dereference TrustProfileRefs

Author: enriquepablo

src/pyff/builtins.py

@@ -1039,7 +1039,7 @@ def _discojson_sp(req, *opts):
     if req.t is None:
         raise PipeException("Your pipeline is missing a select statement.")
 
-    res = discojson_sp_t(req.t)
+    res = discojson_sp_t(req)
 
     return json.dumps(res)
 

src/pyff/resource.py

@@ -239,6 +239,7 @@ def __init__(self, url: Optional[str], opts: ResourceOpts):
         self.last_parser: Optional['PyffParser'] = None  # importing PyffParser in this module causes a loop
         self._infos: Deque[ResourceInfo] = deque(maxlen=config.info_buffer_size)
         self.children: Deque[Resource] = deque()
+        self.trust_info: Optional[dict] = None
         self.md_sources: Optional[dict] = None
         self._setup()
 
@@ -493,6 +494,13 @@ def parse(self, getter: Callable[[str], Response]) -> Deque[Resource]:
 
         return self.children
 
+    def global_trust_info(self):
+        trust_info = {}
+        for r in self.walk():
+            if r.url and r.trust_info is not None:
+                trust_info[r.url] = r.trust_info['profiles']
+        return trust_info
+
     def global_md_sources(self):
         from pyff.samlmd import SAMLParserInfo
 

src/pyff/samlmd.py

@@ -93,7 +93,7 @@ def parse_saml_metadata(
     :param base_url: use this base url to resolve relative URLs for XInclude processing
     :param validation_errors: A dict that will be used to return validation errors to the caller
 
-    :return: Tuple with t (ElementTree), expire_time_offset, exception
+    :return: Tuple with t (ElementTree), trust_info, expire_time_offset, exception
     """
 
     if validation_errors is None:
@@ -108,6 +108,9 @@ def parse_saml_metadata(
 
         t = check_signature(t, opts.verify)
 
+        trust_info = None
+        extensions = t.find('{%s}Extensions' % NS['md'])
+
         if opts.cleanup is not None:
             for cb in opts.cleanup:
                 t = cb(t)
@@ -132,18 +135,20 @@ def parse_saml_metadata(
                 t = entitiesdescriptor(
                     [t], base_url, copy=False, validate=True, filter_invalid=filter_invalid, nsmap=t.nsmap
                 )
+            elif t.tag == "{%s}EntitiesDescriptor" % NS['md'] and extensions is not None:
+                trust_info = discojson_sp(extensions)
 
     except Exception as ex:
         log.debug(traceback.format_exc())
         log.error("Error parsing {}: {}".format(base_url, ex))
         if opts.fail_on_error:
             raise ex
 
-        return None, None, ex
+        return None, None, None, ex
 
     log.debug("returning %d valid entities" % len(list(iter_entities(t))))
 
-    return t, expire_time_offset, None
+    return t, trust_info, expire_time_offset, None
 
 
 class SAMLParserInfo(ParserInfo):
@@ -162,7 +167,7 @@ def magic(self, content: str) -> bool:
 
     def parse(self, resource: Resource, content: str) -> SAMLParserInfo:
         info = SAMLParserInfo(description='SAML Metadata', expiration_time='')
-        t, expire_time_offset, exception = parse_saml_metadata(
+        t, trust_info, expire_time_offset, exception = parse_saml_metadata(
             unicode_stream(content),
             base_url=resource.url,
             opts=resource.opts,
@@ -184,6 +189,9 @@ def parse(self, resource: Resource, content: str) -> SAMLParserInfo:
             for e in iter_entities(t):
                 info.entities.append(e.get('entityID'))
 
+        if trust_info is not None:
+            resource.trust_info = trust_info
+
         if exception is not None:
             resource.info.exception = exception
 
@@ -890,7 +898,8 @@ def fetch_mdjson(urls):
 
     entities = []
     for child in resource.children:
-        entities.extend(child.t.findall(".//{%s}EntityDescriptor" % NS['md']))
+        if child.t is not None:
+            entities.extend(child.t.findall(".//{%s}EntityDescriptor" % NS['md']))
 
     ot = entitiesdescriptor(entities, 'extra-sources')
 
@@ -903,7 +912,7 @@ def fetch_mdjson(urls):
     return entities_json
 
 
-def discojson_sp(e):
+def discojson_sp(e, global_trust_info=None, global_md_sources=None):
     sp = {}
 
     tinfo_el = e.find('.//{%s}TrustInfo' % NS['ti'])
@@ -945,14 +954,26 @@ def discojson_sp(e):
             include = include if type(include) is bool else include in ('t', 'T', 'true', 'True')
             sp['profiles'][name]['entities'].append({'select': select, 'match': match, 'include': include})
 
+    if global_trust_info is not None and global_md_sources is not None:
+        for profileref_el in tinfo_el.findall('.//{%s}TrustProfileRef' % NS['ti']):
+            refname = profileref_el.text
+            sources = global_md_sources[sp['entityID']]
+            for source in sources:
+                if refname in global_trust_info[source]:
+                    sp['profiles'][refname] = global_trust_info[source][refname]
+                    break
+
     return sp
 
 
-def discojson_sp_t(t):
+def discojson_sp_t(req):
     d = []
+    t = req.t
+    global_tinfo = req.md.rm.global_trust_info()
+    global_sources = req.md.rm.global_md_sources()
 
     for e in iter_entities(t):
-        sp = discojson_sp(e)
+        sp = discojson_sp(e, global_trust_info=global_tinfo, global_md_sources=global_sources)
         if sp is not None:
             d.append(sp)
 

src/pyff/test/data/metadata/edugain-trustinfo-2.0.xml

@@ -1,5 +1,16 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0" xmlns:pyff="http://pyff.io/NS" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ser="http://eidas.europa.eu/metadata/servicelist" xmlns:eidas="http://eidas.europa.eu/saml-extensions" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:samla="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF" xmlns:req-attr="urn:oasis:names:tc:SAML:protcol:ext:req-attr" Name="test"><md:EntityDescriptor entityID="https://cpauth.icos-cp.eu/saml/cpauth">
+<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:mdui="urn:oasis:names:tc:SAML:metadata:ui" xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute" xmlns:mdrpi="urn:oasis:names:tc:SAML:metadata:rpi" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:xrd="http://docs.oasis-open.org/ns/xri/xrd-1.0" xmlns:pyff="http://pyff.io/NS" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ser="http://eidas.europa.eu/metadata/servicelist" xmlns:eidas="http://eidas.europa.eu/saml-extensions" xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport" xmlns:samla="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:init="urn:oasis:names:tc:SAML:profiles:SSO:request-init" xmlns:idpdisc="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol" xmlns:wayf="http://sdss.ac.uk/2006/06/WAYF" xmlns:req-attr="urn:oasis:names:tc:SAML:protcol:ext:req-attr" Name="test">
+    <md:Extensions>
+      <ti:TrustInfo xmlns:ti="https://seamlessaccess.org/NS/trustinfo">
+         <ti:TrustProfile name="customer2" strict="true">
+           <ti:DisplayName xml:lang="en">Customer Access</ti:DisplayName>
+           <ti:DisplayName xml:lang="sv">Kundinloggning</ti:DisplayName>
+           <ti:FallbackHandler profile="href">https://www.example.org/about</ti:FallbackHandler>
+           <ti:TrustedEntities match="registrationAuthority">https://www.carsi.edu.cn</ti:TrustedEntities>
+         </ti:TrustProfile>
+      </ti:TrustInfo>
+    </md:Extensions>
+  <md:EntityDescriptor entityID="https://cpauth.icos-cp.eu/saml/cpauth">
   <md:Extensions>
     <mdrpi:RegistrationInfo registrationAuthority="http://www.swamid.se/" registrationInstant="2015-02-11T11:09:51Z">
       <mdrpi:RegistrationPolicy xml:lang="en">http://swamid.se/policy/mdrps</mdrpi:RegistrationPolicy>
@@ -29,12 +40,7 @@
   <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
     <md:Extensions>
       <ti:TrustInfo xmlns:ti="https://seamlessaccess.org/NS/trustinfo">
-         <ti:TrustProfile name="customer" strict="true">
-           <ti:DisplayName xml:lang="en">Customer Access</ti:DisplayName>
-           <ti:DisplayName xml:lang="sv">Kundinloggning</ti:DisplayName>
-           <ti:FallbackHandler profile="href">https://www.example.org/about</ti:FallbackHandler>
-           <ti:TrustedEntities match="registrationAuthority">http://www.swamid.se/</ti:TrustedEntities>
-         </ti:TrustProfile>
+        <ti:TrustProfileRef>customer2</ti:TrustProfileRef>
       </ti:TrustInfo>
       <init:RequestInitiator Binding="urn:oasis:names:tc:SAML:profiles:SSO:request-init" Location="https://cpauth.icos-cp.eu/saml/login"/>
       <mdui:UIInfo>